Limit keycloak redirect urls #491
Conversation
Signed-off-by: Anatolii Bazko <abazko@redhat.com>
tolusha
requested review from
davidfestal,
nickboldt and
vparfonov
as code owners
|
@tolusha: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
templates/keycloak_provision
Outdated
| @@ -20,7 +20,7 @@ if [ $? -eq 0 ]; then echo "Realm exists"; exit 0; fi \ | |||
| -s clientId=$keycloakClientId \ | |||
| -s id=$keycloakClientId \ | |||
| -s 'webOrigins=["http://$cheHost", "https://$cheHost"]' \ | |||
| -s 'redirectUris=["http://$cheHost/*", "https://$cheHost/*"]' \ | |||
| -s 'redirectUris=["http://$cheHost/dashboard/", "https://$cheHost/dashboard/", "http://$cheHost/workspace-loader/", "https://$cheHost/workspace-loader/", "http://$cheHost/_app/loader.html", "https://$cheHost/_app/loader.html"]' \ | |||
There was a problem hiding this comment.
What about an ability to get token from localhost? I kept in mind running local dashboard/workspace-loader instance without modifying redirects uris manually on each new cluster, but I assume it could also help chectl server:login do login through web interface, as https://github.com/int128/kubelogin is able to do.
I assume it should be safe to do since it's allowed on OpenShift.io oauth.
There was a problem hiding this comment.
I am not sure that it is secure, who can confirm that?
There was a problem hiding this comment.
@ibuziuk Could you help to discover the answer here?
There was a problem hiding this comment.
Seems _app/oauth.html needs to be added here as well https://github.com/eclipse/che/blob/master/assembly/assembly-root-war/src/main/webapp/_app/oauth.html.
What if we even add _app/* since we are sure that _app is an application hosted by Che Server and we don't really need to list them one by one. @skabashnyuk WDYT?
|
/retest |
| @@ -20,7 +20,7 @@ if [ $? -eq 0 ]; then echo "Realm exists"; exit 0; fi \ | |||
| -s clientId=$keycloakClientId \ | |||
| -s id=$keycloakClientId \ | |||
| -s 'webOrigins=["http://$cheHost", "https://$cheHost"]' \ | |||
| -s 'redirectUris=["http://$cheHost/*", "https://$cheHost/*"]' \ | |||
| -s 'redirectUris=["http://$cheHost/dashboard/*", "https://$cheHost/dashboard/*", "http://$cheHost/workspace-loader/*", "https://$cheHost/workspace-loader/*", "http://$cheHost/_app/*", "https://$cheHost/_app/*"]' \ | |||
There was a problem hiding this comment.
Not really related to the current PR but can we instead of duplication http and https redirects just provide the right protocol via parameter as we provide $cheHost? It would help us be more secure and make sure token if not send through http when https is configured
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: sleshchenko, tolusha The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Signed-off-by: Anatolii Bazko abazko@redhat.com
Reference issue
eclipse-che/che#17902